authorPaul Gortmaker <paul.gortmaker@windriver.com>2013-01-10 11:52:46 -0500
committerPaul Gortmaker <paul.gortmaker@windriver.com>2013-01-10 11:53:34 -0500
commitf22988bfe5d7f2cd4f21f92d8e4b4a35c0838dcd (patch)
tree21360877fa874fe1676823aac1220bb0cd91e7d3
parente48863b858303b3156721d6e30b227f6302b6809 (diff)
downloadlongterm-queue-2.6.34-f22988bfe5d7f2cd4f21f92d8e4b4a35c0838dcd.tar.gz
add udf table length patch
As suggested by Ben Hutchings <ben@decadent.org.uk> during review. Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
-rw-r--r--queue/series1
-rw-r--r--queue/udf-Improve-table-length-check-to-avoid-possible-ove.patch32
2 files changed, 33 insertions, 0 deletions
diff --git a/queue/series b/queue/series
index 5df9c5e..c95eeba 100644
--- a/queue/series
+++ b/queue/series
@@ -64,6 +64,7 @@ USB-cdc-acm-add-IDs-for-Motorola-H24-HSPA-USB-module.patch
#misc
udf-Fortify-loading-of-sparing-table.patch
udf-Avoid-run-away-loop-when-partition-table-length-.patch
+udf-Improve-table-length-check-to-avoid-possible-ove.patch
sctp-malloc-enough-room-for-asconf-ack-chunk.patch
sctp-Fix-list-corruption-resulting-from-freeing-an-a.patch
sctp-ABORT-if-receive-reassmbly-or-reodering-queue-i.patch
diff --git a/queue/udf-Improve-table-length-check-to-avoid-possible-ove.patch b/queue/udf-Improve-table-length-check-to-avoid-possible-ove.patch
new file mode 100644
index 0000000..e7441d6
--- /dev/null
+++ b/queue/udf-Improve-table-length-check-to-avoid-possible-ove.patch
@@ -0,0 +1,32 @@
+From faedfa1eeb20336c22559181768713098bff4d28 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Tue, 10 Jul 2012 17:58:04 +0200
+Subject: [PATCH] udf: Improve table length check to avoid possible overflow
+
+commit 57b9655d01ef057a523e810d29c37ac09b80eead upstream.
+
+When a partition table length is corrupted to be close to 1 << 32, the
+check for its length may overflow on 32-bit systems and we will think
+the length is valid. Later on the kernel can crash trying to read beyond
+end of buffer. Fix the check to avoid possible overflow.
+
+Reported-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/fs/udf/super.c b/fs/udf/super.c
+index a48725b..8ab99cf 100644
+--- a/fs/udf/super.c
++++ b/fs/udf/super.c
+@@ -1307,7 +1307,7 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block,
+ BUG_ON(ident != TAG_IDENT_LVD);
+ lvd = (struct logicalVolDesc *)bh->b_data;
+ table_len = le32_to_cpu(lvd->mapTableLength);
+- if (sizeof(*lvd) + table_len > sb->s_blocksize) {
++ if (table_len > sb->s_blocksize - sizeof(*lvd)) {
+ udf_error(sb, "error loading logical volume descriptor: "
+ "Partition table too long (%u > %lu)\n", table_len,
+ sb->s_blocksize - sizeof(*lvd));
+--
+1.7.12.1
+
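Review bot: The rewritten comparison `table_len > sb->s_blocksize - sizeof(*lvd)` in the queued fs/udf/super.c change is only sound while `sb->s_blocksize >= sizeof(*lvd)`: the right-hand side is unsigned, so a smaller block size would wrap it to a very large value and any `table_len` would pass. Nothing in the visible lines establishes that bound; it presumably follows from the descriptor having been read as one block, so it is worth stating next to the check. I would add a comment above the `if`, for example `/* subtract rather than add: sizeof(*lvd) + table_len can wrap on 32-bit; assumes s_blocksize >= sizeof(*lvd) */`, so the test is not later simplified back to the addition form. The body of udf_load_logicalvol starts and ends outside this hunk.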